b"Board of Governors of the Federal Reserve System\n\n\n\n\n         Audit of the Board\xe2\x80\x99s\n    Information Security Program\n\n\n\n\n       Office of Inspector General\n\n\n                                          November 2011\n\x0c\x0c                                       November 14, 2011\n\n\nBoard of Governors of the Federal Reserve System\nWashington, DC 20551\n\nDear Members of the Board:\n\n      The Office of Inspector General (OIG) is pleased to present its report on the Audit of the\nBoard\xe2\x80\x99s Information Security Program. We performed this audit pursuant to requirements in the\nFederal Information Security Management Act of 2002 (FISMA), Title III, Public Law 107-347\n(December 17, 2002), which requires each agency Inspector General (IG) to conduct an annual\nindependent evaluation of the agency\xe2\x80\x99s information security program and practices. Our specific\naudit objectives, based on the legislation\xe2\x80\x99s requirements, were to evaluate the effectiveness of\nsecurity controls and techniques for selected information systems and compliance by the Board\nof Governors of the Federal Reserve System (Board) with FISMA and related information\nsecurity policies, procedures, standards, and guidelines. We also followed up on the status of the\nBoard\xe2\x80\x99s corrective actions in response to open recommendations from our prior FISMA reports\nand security control reviews of specific systems. We conducted our audit of the Board\xe2\x80\x99s\ncompliance with FISMA from June 2011 through October 2011, and we reviewed security\ncontrols for Board applications throughout the year, in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit objectives.\n\n      As part of an agency\xe2\x80\x99s annual FISMA reporting, the Office of Management and Budget\n(OMB) requests that both the Chief Information Officer (CIO) and the IG perform analysis of\ncertain information security program components. As discussed in OMB Memorandum 10-28,\nClarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President\nand the Department of Homeland Security (DHS), DHS is exercising primary responsibility\nwithin the Executive Branch for the operational aspects of federal agency cybersecurity with\nrespect to FISMA. As stated in previous FISMA guidance, agencies are required to adhere to\nDHS direction to report data through CyberScope (an automated FISMA reporting tool). In\nAugust 2011, DHS issued revised reporting requirements for IGs\xe2\x80\x99 analysis of their respective\nagency\xe2\x80\x99s information security management performance, in line with the requirements of\nFISMA. In accordance with DHS\xe2\x80\x99 revised requirements, our FISMA review included an\nanalysis of the Board\xe2\x80\x99s information security-related processes in the following areas: risk\nmanagement, continuous monitoring management, plans of action and milestones (POA&Ms),\nidentity and access management, remote access management, security configuration\nmanagement, security training, contractor oversight, contingency planning, incident response and\n\x0cBoard of Governors                             2                           November 14, 2011\n\nreporting, and security capital planning. Appendix 1 contains our analysis of the Board\xe2\x80\x99s\nprogress in implementing key FISMA requirements and discusses our recommendation and\nobservations in more detail. In addition to this report, we will provide our analysis to OMB\nunder separate cover via automated submission. Our response will be submitted with the CIO\xe2\x80\x99s\nresponse to the OMB reporting requirements.\n\n        Overall, we found that the Board\xe2\x80\x99s CIO continues to maintain a FISMA-compliant\napproach to the Board\xe2\x80\x99s information security program that is generally consistent with\nrequirements established by the National Institute of Standards and Technology (NIST) and\nOMB. The Information Security Officer (ISO) continues to issue and update information\nsecurity policies and guidelines. During 2011, the ISO developed an enterprise information\ntechnology (IT) risk assessment framework initiative and a continuous monitoring strategy and\nbegan to implement a new automated workflow support tool that will provide an automated\nworkflow method for documenting, reviewing, and approving the security posture of all Board\ninformation systems. In addition, the ISO took corrective actions in response to a number of\nopen recommendations from our prior FISMA reports.\n\n        To transform the Board\xe2\x80\x99s Certification and Accreditation process into the NIST Risk\nManagement Framework and implement new NIST requirements for assessing security controls,\nour 2010 FISMA report included two recommendations to the CIO: (1) continue to develop and\nimplement a Board-wide IT risk management strategy as required by the NIST Special\nPublication 800-53, Revision 3, Recommended Security Controls for Federal Information\nSystems and Organizations (SP 800-53), Program Management family of controls; and (2) as\nadditional NIST and OMB guidance is issued and becomes effective, develop a continuous\nmonitoring strategy and implement a continuous monitoring program as required by SP 800-53,\nSecurity Assessment and Authorization family of controls. Because the ISO developed and\nbegan implementation of an enterprise IT risk assessment framework within the Division of IT,\nwe are closing out the first recommendation. With the ISO issuing a continuous monitoring\nstrategy and beginning the implementation of an expanded continuous monitoring program, we\nare also closing our second 2010 recommendation.\n\n       Although progress has been made by the ISO to address the new NIST guidance regarding\nrisk management, the enterprise IT risk assessment framework needs to be fully implemented\nBoard-wide and the automated workflow support tool needs to be fully operational for the Board\nto meet the requirements of NIST\xe2\x80\x99s organization-wide risk management approach. Our report\ncontains one recommendation that the CIO complete and fully implement the enterprise IT risk\nassessment framework Board-wide along with ensuring the automated workflow support tool is\nfully operational in order to comply with updated NIST guidance on the new Risk Management\nFramework. In addition, our report includes matters for management\xe2\x80\x99s consideration based on\nour analysis of the Board\xe2\x80\x99s contractor oversight and security capital planning programs. While\nnot specifically required by NIST or OMB requirements, the following actions could help\nstrengthen the Board\xe2\x80\x99s information security posture: (1) under the Board\xe2\x80\x99s Contractor Oversight\nprogram, ensure that the Board\xe2\x80\x99s new automated workflow tool for managing the security\nposture of all Board information systems incorporates appropriate security management\ninformation for third party systems operated by Federal Reserve Banks on behalf of the Board\nand (2) under the Board\xe2\x80\x99s Security Capital Planning and Investment Program, to ensure adequate\n\x0cBoard of Governors                               3                             November 14, 2011\n\ntracking of system security investments, enhance the Board\xe2\x80\x99s system development methodology\nby clarifying steps to account and budget for security over the system life cycle; and analyze how\nsecurity capital planning information at the system and enterprise-level can be integrated into the\nIT performance dashboard to provide a more comprehensive understanding of the business value\nand performance of the Board\xe2\x80\x99s information systems.\n\n       Given the new NIST guidance regarding risk management, that incorporates risk\nassessment, we are also closing a recommendation from our 2008 FISMA report that the CIO\nensure risk assessments are adequately identifying, evaluating, and documenting the level of risk\nto information systems based on potential threats, vulnerabilities, and currently implemented or\nplanned controls, to determine whether additional controls are needed. We will continue to\nmonitor the ISO\xe2\x80\x99s actions in implementing the enterprise IT risk assessment framework Board-\nwide, which includes improving overall risk assessments. Our 2010 FISMA report also included\na third recommendation, for the CIO to identify all information technology services provided by\norganizations other than Board personnel, and determine if they need to be accredited as a third\nparty contractor system or as part of an existing General Support System or major application.\nWe believe the CIO has taken sufficient actions to close this recommendation.\n\n        As stated previously, we also review security controls implemented for Board applications\non an ongoing basis. During the past year, we completed security control reviews for two Board\nsystems: (1) the Board\xe2\x80\x99s public website system (PubWeb) and (2) the Visitor Registration\nSystem. We also completed a security control review of the Federal Reserve System\xe2\x80\x99s National\nRemote Access Services. Our reviews of these systems\xe2\x80\x99 information security controls have\nidentified areas where controls need to be strengthened. Given the sensitivity of the issues\ninvolved with these reviews, the specific results are being provided to management in separate\nrestricted reports that will be summarized on our publicly available website. During this year\xe2\x80\x99s\nFISMA review, we started audits of (1) the Board\xe2\x80\x99s contingency program, (2) third-party\napplications operated by the Federal Reserve Bank of Richmond in support of the Board\xe2\x80\x99s\nDivision of Banking Supervision and Regulation, and (3) the Federal Reserve System\xe2\x80\x99s Office of\nEmployee benefits and its third-party contractors.\n\n       We performed our application control testing based on selected controls identified in SP\n800-53. The controls are divided into \xe2\x80\x9cfamilies\xe2\x80\x9d (such as access, risk assessment, and personnel\nsecurity) and include controls that can be categorized as system-specific or common (applicable\nacross agency systems). Consequently, although our focus was on evaluating specific\napplications, we also assessed some of the common security controls that affect most, if not all,\nof the applications. In following up on open recommendations from prior security control\nreviews, we determined that sufficient corrective actions were taken to close 19 of 21 open\nrecommendations from 3 security control reviews. We will continue to follow up on actions\ntaken regarding our FISMA and security control review report recommendations as part of future\naudit and evaluation work related to information system security.\n\n     We provided a draft of our report to the Director of the Division of IT, in her capacity as\nthe CIO for FISMA, for review and comment. Her response is included as appendix 2. In her\nresponse, the director agreed with the recommendation that the CIO complete and fully\nimplement the enterprise IT risk assessment framework Board-wide along with ensuring the\n\x0cBoard of Governors                             4                            November 14, 2011\n\nautomated workflow support tool is fully operational for the Board to be compliant with updated\nNIST guidance on risk management.\n\n      We appreciate the cooperation that we received from the Board during our review. The\nprincipal contributors to this report are listed in appendix 3. We are providing copies of this\naudit report to Board management officials. The report will be added to our publicly-available\nweb site and will be summarized in our next semiannual report to Congress. Please contact me if\nyou would like to discuss the audit report or any related issues.\n\n                                          Sincerely,\n\n\n\n\n                                          Mark Bialek\n                                       Inspector General\n\ncc:   Ms. Maureen Hannan\n      Mr. Geary Cunningham\n      Mr. Raymond Romero\n\x0cAPPENDIXES\n\x0c\x0c                                                                                   APPENDIX 1\n\n\nThe Office of Inspector General\xe2\x80\x99s Analysis of the Board\xe2\x80\x99s Progress in\nImplementing Key FISMA and OMB Requirements\nThe following is our analysis of the Board\xe2\x80\x99s progress in implementing key FISMA requirements,\nincluding progress to date and work to be done. Our analysis identifies one new\nrecommendation (see page 11).\n\nRisk Management Program\n\nRequirement:\n\n       FISMA requires organizations to develop and implement an organization-wide\n       information security program for the information and information systems that support\n       the operations and assets of the organization, including those provided or managed by\n       another organization, contractor, or other source. For non-national security programs and\n       information systems, agencies must follow NIST standards and guidelines. For legacy\n       information systems, agencies are expected to be in compliance with NIST standards and\n       guidelines within one year of the publication date unless otherwise directed by OMB.\n       NIST has developed a Risk Management Framework and issued three special\n       publications to guide agencies through a structured process to identify the risks to the\n       information systems, assess the risks, and take steps to reduce risks to an acceptable\n       level.\n\n       In August 2009, NIST issued SP 800-53 that contained a new information security\n       Program Management (PM) family of controls. The PM controls focus on the\n       organization-wide information security requirements and directed organizations to\n       develop a comprehensive strategy to manage risk to organizational operations and assets,\n       individuals, other organizations, and the Nation associated with the operation and use of\n       information systems and implement that strategy consistently across the organization.\n       Additional information for this SP 800-53 control states that an organization-wide risk\n       management strategy includes, for example, an unambiguous expression of the risk\n       tolerance for the organization, acceptable risk assessment methodologies, risk mitigation\n       strategies, a process for consistently evaluating risk across the organization with respect\n       to the organization\xe2\x80\x99s risk tolerance, and approaches for monitoring risk over time.\n\n       In February 2010, NIST issued Special Publication 800-37, Revision 1, Guide for\n       Applying the Risk Management Framework to Federal Information Systems (SP 800-37).\n       SP 800-37 expands the concept of risk management and covers a strategic to tactical\n       organizational approach to risk management. SP 800-37 also promotes the NIST Risk\n       Management Framework that we discuss in our prior year report as the concept of near\n       real-time risk management and ongoing information system authorization through the\n       implementation of robust continuous monitoring processes, with emphasis on the\n       selection, implementation, and assessment of security controls; information systems\n       authorization; and security control monitoring.\n\n\n\n                                                7\n\x0c                                                                                  APPENDIX 1\n\n      In March 2011, NIST issued Special Publication 800-39, Managing Information Security\n      Risk (SP 800-39). SP 800-39 states it is imperative that leaders and managers at all levels\n      understand their responsibilities and are held accountable for managing information\n      security risk\xe2\x80\x94that is, the risk associated with the operation and use of information\n      systems that support the missions and business functions of their organizations.\n      Managing information security risk, like risk management in general, is not an exact\n      science. It brings together the best collective judgments of individuals and groups within\n      organizations responsible for strategic planning, oversight, management, and day-to-day\n      operations\xe2\x80\x94providing both the necessary and sufficient risk response measures to\n      adequately protect the missions and business functions of those organizations.\n\n      Figure 1 shows NIST\xe2\x80\x99s Risk Management Framework and identifies NIST\xe2\x80\x99s related\n      guidance.\n\n      Figure 1. NIST\xe2\x80\x99s Risk Management Framework\n\n\n\n\nProgress to Date:\n\n      SP 800-37, which was required to be implemented by February 2011, incorporates the\n      traditional processes the Board uses to authorize its information systems, but expands the\n      risk management approach to address risk-related concerns at the organizational level, the\n      mission and business level, and the information system level. SP 800-39, which is not\n      required to be implemented until March 2012, provides detailed guidance for\n      implementing the SP 800-37 requirement for an integrated, organization-wide program\n      for managing information security risk.\n\n      In prior years, the Board\xe2\x80\x99s information system risk management approach has been\n      generally focused at the information system level, which was promulgated by NIST\n      Special Publication 800-30, Risk Management Guide for Information Technology\n      Systems, the initial SP 800-37 (dated May 2004); SP 800-53; and other NIST\n                                               8\n\x0c                                                                           APPENDIX 1\n\npublications. The SP 800-53 PM family of controls focuses on organization-wide\ninformation security controls that are independent of any particular information system.\nSP 800-37 integrates organization risks into the system authorization process that\ncontinues to include an overall analysis of individual system risk based on the control\nfamilies contained in SP 800-53.\n\nFigure 2 shows a three-tiered approach introduced by SP 800-37 and expanded upon in\nSP 800-39 that revolves around the concepts that managing information system-related\nsecurity risks is a complex, multifaceted undertaking that requires the involvement of the\nentire organization\xe2\x80\x94from senior leaders providing the strategic vision and top-level\ngoals and objectives for the organization (Tier 1), to mid-level leaders planning and\nmanaging projects (Tier 2), to individuals on the front lines developing, implementing,\nand operating the systems supporting the organization\xe2\x80\x99s core missions and business\nprocesses (Tier 3).\n\nFigure 2. NIST\xe2\x80\x99s Three-tiered Approach to Risk Management\n\n\n\n\nOur 2010 Audit of the Board\xe2\x80\x99s Information Security Program (2010 FISMA report)\nincluded a recommendation that the CIO continue to develop and implement a Board-\nwide IT risk management strategy to meet the requirement of SP 800-53. The Board\xe2\x80\x99s\ninformation security program already addressed many of the controls in the PM family,\nbut prior to fully implementing an organization-wide program for managing information\nsecurity risk required by SP 800-37, the CIO needed to develop and formalize an\norganization-wide risk management strategy. During 2011, the ISO developed an\nenterprise IT risk assessment framework initiative and has begun implementation within\nthe Division of IT. We believe this meets the intent of our recommendation, and we are\nclosing our recommendation.\n\nWhen fully implemented, the enterprise IT risk assessment framework will identify those\nrisks that most greatly inhibit the Board from achieving its strategic objectives. In\naddition, the ISO has began to implement a new automated workflow support tool that\n\n                                         9\n\x0c                                                                                 APPENDIX 1\n\n     will provide an automated workflow method for documenting, reviewing, and approving\n     the security posture of all Board information systems. We will continue to monitor the\n     ISO\xe2\x80\x99s actions as he implements the enterprise IT risk assessment framework Board-wide.\n\n     The 2010 Division of IT strategic planning initiatives included a section on enterprise\n     risk management that states the purpose of this initiative is to identify, evaluate, and\n     manage risks that could impede the successful achievement of the Board's mission and\n     objectives. Through this process, Board divisions are expected to identify the residual\n     risks that cannot be mitigated to their satisfaction and that, if realized, would be\n     impediments to achieving their objectives. The 2010 and 2011 strategic planning\n     initiatives also include the following:\n\n        \xe2\x80\xa2   Developing an enterprise IT risk assessment;\n        \xe2\x80\xa2   Piloting the enterprise risk management process with Board division(s);\n        \xe2\x80\xa2   Preparing a common Enterprise Risk Management (ERM) framework for all\n            divisions to use in identifying key operational and reputational residual risks;\n        \xe2\x80\xa2   Developing an ongoing process for divisions to follow, assigning accountability\n            through clearly defined roles and responsibilities, using a common risk language\n            when evaluating the division\xe2\x80\x99s risks, and using a process to manage risks; and\n        \xe2\x80\xa2   Creating an approach to further FISMA/ERM compliance for embedded IT.\n\n     The 2011 strategic planning initiatives continued the focus on risks with the development\n     of a Division of IT Risk Management Committee. This committee is to provide guidance\n     and direction to the ISO and standing work groups tasked with addressing information\n     security and risk management issues.\n\nWork To Be Done:\n\n     The Division of IT has had components of the three-tiered risk management program in\n     place in prior years with a system level focus based on the existing guidance at that time.\n     Recent guidance has placed further emphasis on overall organizational risk management\n     at the Tier 1 and 2 levels. The additional risks that are considered at the organizational\n     level will ultimately need to be filtered down to the individual information systems and\n     IT General Support System. As previously discussed, the ISO has begun to implement a\n     new automated workflow support tool that will provide an automated workflow method\n     to filter down risks to individual information systems.\n\n     Although the Board has a process to document risks associated with an information\n     system being in compliance with a baseline of controls, our 2008 FISMA report included\n     a recommendation that the CIO ensure risk assessments are adequately identifying,\n     evaluating, and documenting the level of risk to information systems based on potential\n     threats, vulnerabilities, and currently implemented or planned controls, to determine\n     whether additional controls are needed. Given the new NIST guidance regarding risk\n     management that incorporates risk assessments, we are closing this recommendation. We\n     will continue to monitor the ISO\xe2\x80\x99s actions in implementing the enterprise IT risk\n     assessment framework Board-wide, which includes improving overall risk assessments.\n\n                                             10\n\x0c                                                                                 APPENDIX 1\n\n\n\n      Although progress has been made by the ISO to address the new NIST guidance\n      regarding risk management, an enterprise IT risk assessment framework needs to be fully\n      implemented Board-wide and the automated workflow support tool needs to be fully\n      operational for the Board to meet the requirements of NIST\xe2\x80\x99s organization-wide risk\n      management approach.\n\n      Recommendation 1: We recommend that the CIO complete and fully implement the\n                        enterprise IT risk assessment framework across all divisions, along\n                        with ensuring the automated workflow support tool is fully\n                        operational, in order to comply with updated NIST guidance on the\n                        new Risk Management Framework.\n\nContinuous Monitoring Program\n\nRequirement:\n\n      In September 2011, NIST issued Special Publication 800-137, Information Security\n      Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP\n      800-137). SP 800-137 ties continuous monitoring into the NIST Risk Management\n      Framework with a target audience of individuals with implementation and operational\n      responsibilities for mission/business processes, system development and integration,\n      system and/or security management oversight, security control assessment and\n      monitoring, and security.\n\n      Although NIST and OMB have placed a focus on continuous monitoring, FISMA has\n      always required that an agency\xe2\x80\x99s information security program include an entity-wide\n      continuous monitoring program to assess the security state of information systems in\n      accordance with NIST and OMB FISMA related requirements. SP 800-137 provides\n      new perspectives for manual and automated continuous monitoring and details the major\n      phases of establishing, implementing, and maintaining an agency information security\n      continuous monitoring program. Agencies are expected to be in compliance with NIST\n      standards and guidelines within one year of the publication date unless otherwise directed\n      by OMB.\n\n      SP 800-137 states organization-wide monitoring cannot be efficiently achieved through\n      either manual processes or automated processes alone. Where manual processes are\n      used, the processes are repeatable and verifiable to enable consistent implementation.\n      Automated processes, including the use of automated support tools (such as vulnerability\n      scanning tools and network scanning devices), can make the process of continuous\n      monitoring more cost-effective, consistent, and efficient. Many of the technical security\n      controls defined in SP 800\xe2\x80\x9053 are good candidates for monitoring using automated tools\n      and techniques. Real\xe2\x80\x90time monitoring of implemented technical controls using\n      automated tools can provide an organization with a much more dynamic view of the\n      effectiveness of those controls and the security posture of the organization.\n\n\n\n                                              11\n\x0c                                                                                 APPENDIX 1\n\n      Organizations take the following steps to establish, implement, and maintain a continuous\n      monitoring program:\n         \xe2\x80\xa2 Define a continuous monitoring strategy;\n         \xe2\x80\xa2 Establish a continuous monitoring program;\n         \xe2\x80\xa2 Implement a continuous monitoring program;\n         \xe2\x80\xa2 Analyze data and report findings;\n         \xe2\x80\xa2 Respond to findings; and\n         \xe2\x80\xa2 Review and update the continuous monitoring strategy and program.\n\n      A robust continuous monitoring program enables organizations to move from\n      compliance-driven risk management to data-driven risk management that provides\n      organizations with information necessary to support risk response decisions, security\n      status information, and ongoing insight into security control effectiveness.\n\nProgress to Date:\n\n      Our 2010 FISMA report discussed the Board\xe2\x80\x99s transition to the NIST Risk Management\n      Framework and that the Board can improve and integrate both manual and automated\n      monitoring processes into its continuous monitoring efforts to mature existing\n      information security processes. This includes the annual testing of information system\n      controls that the ISO has had in operation for many years as part of meeting FISMA\n      requirements. Each year the ISO reviews one-third of the baseline controls for Board\n      applications, with certain critical controls tested every year.\n\n      Our 2010 FISMA report included a recommendation that as additional NIST and OMB\n      guidance is issued and becomes effective, the CIO develop a continuous monitoring\n      strategy and implement a continuous monitoring program as required by NIST 800-53,\n      Revision 3, Security Assessment and Authorization family of controls. During 2011, the\n      ISO developed a continuous monitoring strategy based on a framework devised by DHS\n      in concert with other agencies such as the Department of State. The ISO\xe2\x80\x99s continuous\n      monitoring strategy indicates that DHS has developed the framework as a maturity model\n      that will help agencies determine next steps in developing a continuous monitoring\n      program. The framework consists of four subsystems:\n\n          \xe2\x80\xa2   Sensor Subsystem\n          \xe2\x80\xa2   Database/Repository Subsystem\n          \xe2\x80\xa2   Analysis/Risk Scoring Subsystem\n          \xe2\x80\xa2   Presentation and Reporting Subsystem\n\n      The CIO continues to implement vulnerability scanning and network monitoring tools,\n      including intrusion detection and audit log consolidation processes to identify and defend\n      against cyber attacks. The ISO\xe2\x80\x99s continuous monitoring strategy lists tools (such as\n      various software scanning and logging tools) that are currently in use or planned for use\n      at the Board. The ISO is utilizing these tools and processes to meet NIST and OMB\n      requirements for continuous monitoring. The ISO plans to implement this framework\n      through September 2012.\n\n                                              12\n\x0c                                                                                APPENDIX 1\n\n      With the ISO issuing a continuous monitoring strategy and beginning the implementation\n      of an expanded continuous monitoring program, we are closing our 2010\n      recommendation. The ISO\xe2\x80\x99s continuous monitoring strategy incorporates the use of the\n      automated workflow support tool that will make use of many of the security monitoring\n      mechanisms already in place for the Board\xe2\x80\x99s IT infrastructure and embedded division\n      information technology operations. The strategy document reflects six automated data\n      gathering mechanisms that are currently in use and additional mechanisms that are\n      planned to be in place by July 2012. We will monitor the ISO\xe2\x80\x99s actions in implementing\n      the continuous monitoring program.\n\nWork To Be Done:\n\n      Since our 2010 FISMA report, the ISO has developed a continuous monitoring strategy\n      and started the implementation of a new automated workflow support tool, and NIST has\n      now issued SP 800-137 that provides more defined guidance on information system\n      security continuous monitoring.\n\n      The ISO anticipates that the new automated workflow support tool will provide an\n      efficient and automated workflow method for documenting, reviewing, and approving the\n      security posture of all Board information systems. The ISO indicated that system\n      categorization worksheets, system security plan information, supplemental control\n      questionnaire items, and control baselines for all the major applications and IT General\n      Support System components will be loaded into the automated tool by the end of 2011.\n      Also, test results for major applications, as well as risk assessments and POA&M\n      information, is planned for addition by the fourth quarter 2011. The ISO stated that\n      General Support System subsystems and minor applications will be added in 2012. We\n      will continue to monitor the overall development of the new continuous monitoring\n      initiatives.\n\nPlan of Action & Milestones Program\n\nRequirement:\n\n      FISMA requires agencies to establish a process for addressing any deficiencies in\n      information security policies, procedures, and practices. OMB guidance requires\n      agencies to prepare and submit POA&Ms for all program reviews and evaluations where\n      information technology security weaknesses are identified. OMB guidance further states\n      that an agency\xe2\x80\x99s POA&M program should track and monitor known information security\n      weaknesses, include documented policies and procedures, and establish and adhere to\n      reasonable remediation dates. The guidance also calls for the CIO to centrally track and\n      independently review and validate the POA&M activities at least quarterly.\n\n\n\n\n                                             13\n\x0c                                                                                                   APPENDIX 1\n\n\nProgress to Date:\n\n         Our 2009 FISMA report recommended that the CIO independently verify that appropriate\n         corrective action has been implemented before items are removed from the Board\xe2\x80\x99s\n         POA&M. Our security control reviews had identified instances where POA&M items\n         that were designated as completed and removed from POA&Ms were only partially or\n         not effectively remediated, which translates into extended security exposures for Board\n         systems.\n\n         In response to our recommendation, the ISO established POA&M procedures for the\n         ISO\xe2\x80\x99s Information Security Compliance staff to validate the remediation of action items\n         during a system control review or otherwise request documentation to determine if\n         corrective action has been sufficiently completed. Items with insufficient evidence or\n         those that have been delayed will be evaluated as to why the actions have not been\n         completed and revised accordingly with an updated completion date.\n\n         We have reviewed supporting documentation that substantiates the implementation of the\n         ISO\xe2\x80\x99s independent verification of POA&M action items. Based on this verification\n         program we are closing our 2009 recommendation.\n\nWork To Be Done:\n\n         Now that the independent verification program has been implemented, the ISO plans for\n         this to be an ongoing process and part of the continuous monitoring program.\n         Verification of supporting documentation will be part of the remediation of completed\n         actions. We will monitor the ongoing verification process as part of the overall\n         development of the new continuous monitoring initiatives.\n\nIdentity and Access Management Program\n\nRequirement:\n\n         The Board is required to establish and maintain an identity and access management\n         program that is consistent with FISMA requirements, OMB policy, and applicable NIST\n         guidelines. Such a program should include:\n\n              \xe2\x80\xa2   Documented policies and procedures for account and identity management,\n              \xe2\x80\xa2   Identification of all users that access agency systems,\n              \xe2\x80\xa2   Integration between the Agency\xe2\x80\x99s Personal Identity Verification (PIV) program,\n                  which includes the use of a PIV smartcard for access to facilities and information\n                  systems, and its use of multi-factor authentication 1, and\n              \xe2\x80\xa2   Identification of devices that are attached to the agency\xe2\x80\x99s network.\n\n1\n Multi-factor authentication refers to using two or more factors to achieve authentication. These factors can include\n(1) passwords, (2) electronic tokens, and/or (3) biometrics. In the context of an agency\xe2\x80\x99s PIV program, multi-factor\nauthentication can refer to granting access to an information system based on a PIV card and a password.\n\n                                                         14\n\x0c                                                                                   APPENDIX 1\n\n      The Board\xe2\x80\x99s information security program requires controls to be incorporated for all\n      information systems that ensure each user, or process acting on behalf of a user, is\n      uniquely identified and authenticated. The Board\xe2\x80\x99s information security program\n      requires that only authorized users have access to information systems and that access be\n      based on business requirements. Further, security officials are required to implement\n      account management processes for establishing, activating, modifying, disabling, and\n      removing system accounts.\n\nProgress to Date:\n\n      Identification and authentication includes security controls designed to verify the identity\n      of individual users, processes, or devices as a prerequisite to allowing access to\n      information systems and data. Identification and authentication can be accomplished\n      using various means, such as passwords, card tokens, biometrics, or some combination\n      thereof. We found that the ISO has established and is maintaining an identity and access\n      management program that is generally consistent with NIST and OMB FISMA\n      requirements.\n\n      The Division of IT\xe2\x80\x99s General Support System provides identification and authentication\n      services that Board systems rely on. This includes Active Directory network level\n      authentication, Lotus Notes user identification and passwords, and remote access using\n      multifactor authentication. The Board has also developed a central process for issuing\n      and managing network user identification. As part of this process, the Board\xe2\x80\x99s human\n      resources system generates a unique network ID prior to an employee\xe2\x80\x99s start date. This\n      information is communicated to the IT security unit, which adds the user to Active\n      Directory and other systems as needed.\n\n      Active Directory provides a way to manage elements of a network, including desktops,\n      servers, groups, users, domains, security policies, and user-defined and computer-defined\n      objects. Our 2010 FISMA report noted that local change-control processes and\n      procedures utilized for Active Directory updates were not documented in the Division of\n      IT\xe2\x80\x99s policies and procedures. In 2011, the ISO updated procedures for the Board\xe2\x80\x99s\n      Active Directory operating environment. These procedures cover configuration\n      management and change control, account management, and audit and accountability.\n      The ISO has also implemented automated tools to ensure consistent configuration of\n      active directory settings Board-wide.\n\nWork To Be Done:\n\n      As part of the Board\xe2\x80\x99s physical security program, PIV cards are used for physical access\n      control to its buildings, but are not used to provide access to information systems. Multi-\n      factor authentication at the Board is implemented with use of a token that is separate\n      from the PIV card that all employees have and use for access to Board buildings. The\n      ISO has a pilot program underway to test the use of PIV cards for access to the Board\xe2\x80\x99s\n      network. This pilot program is currently limited to specific Board staff.\n\n\n\n                                               15\n\x0c                                                                                  APPENDIX 1\n\n      Our 2010 FISMA report noted that the Board does not identify or authenticate devices\n      that are attached to the network or have the capability to distinguish these devices from\n      users. Our review also noted that compensating controls were in place and that several\n      initiatives were underway to identify devices. During our 2011 FISMA review, we found\n      that the ISO has not implemented a solution to identify or authenticate devices attached to\n      the Board\xe2\x80\x99s network. The ISO plans to pilot such a solution in 2012. As part of our\n      ongoing work related to information security, we will continue to monitor the ISO\xe2\x80\x99s\n      efforts to strengthen the Board\xe2\x80\x99s identity and access management program.\n\nRemote Access Program\n\nRequirement:\n\n      NIST requires agencies to establish and maintain a remote access program that (1)\n      includes documented policies and procedures for authorizing, monitoring, and controlling\n      all methods of remote access; (2) protects against unauthorized connections or subversion\n      of authorized connections; and (3) uniquely identifies and authenticates users for all\n      access.\n\nProgress to Date:\n\n      As part of our 2011 FISMA work in analyzing the Board\xe2\x80\x99s remote access program, we\n      completed an audit of the Federal Reserve System\xe2\x80\x99s National Remote Access Services\n      (NRAS) infrastructure. The Board and the 12 Federal Reserve Banks use NRAS for\n      remotely accessing Board and Federal Reserve Bank information systems. Our\n      objectives were to evaluate the effectiveness of selected security controls and techniques\n      to ensure the Board maintains a remote access program that is generally compliant with\n      FISMA requirements.\n\n      Our review was divided into two separate phases, with the first phase primarily\n      addressing technical and operational control areas, and the second phase addressing\n      procedures. Overall, our review found that the Federal Reserve\xe2\x80\x99s remote access system is\n      technically and operationally sound, and the Board has developed an adequate process to\n      administer the token keys for Board personnel.\n\nWork To Be Done:\n\n      Although our review found that the Federal Reserve\xe2\x80\x99s remote access system is technically\n      and operationally sound, we identified opportunities to strengthen information security\n      controls to help ensure the Federal Reserve\xe2\x80\x99s remote access system meets FISMA\xe2\x80\x99s\n      requirements. While we did not identify any significant improvement opportunities, we\n      did note that NRAS is not fully in compliance with FISMA and the Board\xe2\x80\x99s information\n      security program. NRAS is considered a contracted service\xe2\x80\x94it is not an application that\n      stores or processes Board data, and it is not listed on the Board\xe2\x80\x99s FISMA inventory.\n\n\n\n\n                                              16\n\x0c                                                                                 APPENDIX 1\n\n       The Reserve Banks have established plans to implement an enterprise information\n       security program based on the NIST framework. The Reserve Banks plan to transition\n       over multiple years. As the Reserve Banks implement a FISMA compliant program,\n       NRAS will be brought into compliance. We will continue to monitor the CIO\xe2\x80\x99s and\n       ISO\xe2\x80\x99s actions in overseeing the Reserve Banks\xe2\x80\x99 compliance with FISMA as they\n       transition to an information security program based on the NIST framework.\n\nSecurity Configuration Management\n\nRequirement:\n\n       The Board is required to establish and maintain a security configuration management\n       program that is generally consistent with NIST and OMB FISMA requirements. SP 800-\n       53 established configuration management controls that cover operational aspects such as\n       policy, baseline configuration, configuration change control, security impact analysis,\n       access restrictions for changes, configuration settings, least functionality, information\n       system component inventory, and configuration management plan. The Board\xe2\x80\x99s\n       information security program requires that the changes to configuration settings of\n       infrastructure services require approvals, testing, and documentation and need to be\n       performed within the scheduled maintenance window.\n\n       The configuration of an information system and its components has a direct impact on the\n       security posture of the system. A baseline configuration is a set of specifications for a\n       system, that has been formally reviewed and agreed upon at a given point in time and that\n       can be changed only through change control procedures. This baseline configuration is\n       used as a basis for future builds, releases, and/or changes. Changes to the configuration\n       are often needed to stay up-to-date with changing business functions and services and\n       information security needs.\n\n       In August 2011, NIST issued Special Publication 800-128, Guide for Security-Focused\n       Configuration Management of Information Systems (SP 800-128). SP 800-128 states that\n       security-focused configuration management of information systems involves a set of\n       activities that can be organized into four major phases\xe2\x80\x94Planning, Identifying and\n       Implementing Configurations, Controlling Configuration Changes, and Monitoring.\n       These different phases address the key aspects of maintaining a desired security posture\n       in the Board\xe2\x80\x99s environment.\n\nProgress to date:\n\n       The Board\xe2\x80\x99s security configuration management program is generally consistent with\n       NIST and OMB FISMA requirements. The ISO has established operating environment\n       documents and procedures for its infrastructure services. This configuration management\n       process is an ongoing operational support function and covers baseline security controls\n       and corresponding configuration settings of infrastructure components. The authorized\n       changes to configurations are documented in the Division of IT\xe2\x80\x99s change control system.\n       The patches and upgrades that are essential for hardware, operating systems, and software\n       are applied during a scheduled maintenance window as required under the Board\xe2\x80\x99s\n\n                                              17\n\x0c                                                                                 APPENDIX 1\n\n      information security program. The changes to application configurations require\n      approval from system owners and require necessary testing and analysis.\n\nWork to be done:\n\n      In our review of the Board\xe2\x80\x99s contingency plan for infrastructure services, we noted that\n      there is not separate and detailed documentation of security configuration settings for\n      infrastructure services at the contingency site. Once we complete our review we will\n      report our results under separate cover.\n\n      In our 2010 FISMA report, we identified as a matter for management\xe2\x80\x99s consideration that\n      the CIO should evaluate separately accrediting the Board\xe2\x80\x99s infrastructure services\n      supporting external facing systems and clarify guidance to assist system owners in\n      managing application level security settings. The ISO continues to make progress in this\n      area. The Information Security Unit is continuously monitoring the external facing\n      systems for threats and vulnerabilities. We will continue to monitor the ISO\xe2\x80\x99s actions in\n      implementing security configuration management.\n\nSecurity Training Program\n\nRequirement:\n\n      FISMA requires that an agency\xe2\x80\x99s information security program include security\n      awareness training to inform all personnel, including contractors and other users of\n      information systems that support the agency\xe2\x80\x99s operations and assets, of the information\n      security risks associated with their activities, as well as their responsibilities for\n      complying with agency policies and procedures. FISMA also requires that the CIO train\n      and oversee personnel with significant responsibilities for information security. NIST\n      and OMB require that the program includes (a) security awareness training for the entire\n      staff, (b) training content based on the organization and roles, and (c) tracking of\n      employees with significant information security responsibilities that require specialized\n      training.\n\nProgress to Date:\n\n      The Board continues to require all Board employees, contractors, and interns to complete\n      an annual security awareness quiz that includes topics such as security incidents, safety\n      precautions for international travel, handling personally identifiable information, and\n      phishing-fraudulent e-mails. The ISO also publishes periodic articles discussing various\n      computer security topics, such as tips on how to become a highly secure computer user,\n      as well as conducts annual training on the Board\xe2\x80\x99s information security program, updates,\n      and changes. Board divisions also continue to report to the ISO on the status of\n      specialized training for personnel with significant information system security\n      responsibilities.\n\n      The Board\xe2\x80\x99s security awareness training program is geared towards creating awareness of\n      FISMA requirements and the Board Information Security Program for various end users,\n\n                                              18\n\x0c                                                                                  APPENDIX 1\n\n      including system owners, developers, managers, quality assurance analysts, and\n      authorizing officials who are responsible for making decisions regarding information\n      systems. Our 2009 FISMA report contained a recommendation that the CIO provide\n      mandatory specific FISMA training for selected staff with FISMA responsibilities.\n      Our 2010 FISMA analysis of security training continued to identify key individuals\n      responsible for various aspects of ensuring the security of Board systems who had not\n      attended any session of the FISMA training provided by the CIO.\n\n      During 2011, the ISO established a process that entailed the ISO and the Manager for the\n      Information Security Compliance group providing a Board Information Security Program\n      training update to each of the Board divisions\xe2\x80\x99 key end users, such as system owners,\n      authorizing officials, and system managers, some of whom did not attend the annual\n      information security program training that is provided by the ISO. As a result of the\n      performance of this information security program update, we are closing our\n      recommendation that specific FISMA training be provided for selected staff with FISMA\n      responsibilities.\n\nWork To Be Done:\n\n      The ISO has performed a Board information system security program training activity\n      that helps fill a training gap for a number of the key end users for Board systems. Some\n      key end users may miss the opportunity to attend the annual Board information security\n      program overview, updates, and changes training sessions that are generally conducted\n      by the ISO in the first quarter of each year. The ISO should consider how the recently\n      completed division-by-division update can be integrated into the overall Board\n      information systems security training program to better ensure full Board coverage. We\n      will continue to monitor the ISO\xe2\x80\x99s annual FISMA training efforts.\n\nContractor Oversight Program\n\nRequirement:\n\n      FISMA requires agencies to provide information security for the information and\n      information systems that support the operations and assets of the agency, including those\n      provided or managed by another agency, contractor, or other source. The Board\xe2\x80\x99s\n      information security program requires third parties, including Federal Reserve Banks,\n      other agencies, and commercial providers, to employ appropriate security controls to\n      protect Board information and services provided. The level of controls provided by third\n      parties must be comparable to NIST standards.\n\nProgress to Date:\n\n      The ISO has developed a security policy that applies to all third parties that collect or\n      maintain Board information or that operate or use information systems on behalf of the\n      Board. The ISO has also published an inventory guide that outlines how the Board\n      accounts for all information assets and tracks the security compliance of all systems,\n\n                                              19\n\x0c                                                                                 APPENDIX 1\n\n     including systems used or operated by third parties on behalf of the Board. In addition,\n     the ISO has developed an inventory of systems that identifies third party systems and\n     their Federal Information Processing Standards (FIPS) 199, Standards for Security\n     Categorization of Federal Information and Information Systems, risk rating,\n     authorization status, and interconnections.\n\n     The Board\xe2\x80\x99s third party systems are primarily located within the Federal Reserve Banks.\n     The ISO and the Board\xe2\x80\x99s Division of Banking Supervision and Regulation (BS&R)\n     perform on-site security reviews of Federal Reserve Bank systems that store or process\n     Board data to ensure that the systems are meeting the Board\xe2\x80\x99s information security\n     program requirements. Further, BS&R has developed and implemented the Board\n     Information Security Program Management System (BISPMS), an automated tool to\n     facilitate standardization and consistency in implementation of the requirements of the\n     Board\xe2\x80\x99s information security program for Federal Reserve Bank systems that store or\n     process Board data. The BISPMS is used by BS&R to conduct security control\n     assessments, store system security documentation, and report on compliance activities.\n\n     Our 2010 FISMA report identified a contractor service that, while being essential to the\n     Board\xe2\x80\x99s recruitment process, was not included in the Board\xe2\x80\x99s FISMA inventory. We\n     recommended that the CIO identify all information technology services provided by\n     organizations other than Board personnel and determine if they need to be accredited as a\n     third party contractor system or as part of an existing General Support System or major\n     application. In response to our recommendation, the ISO updated the Board\xe2\x80\x99s FISMA\n     inventory to include the contractor service we identified. Further, the ISO undertook a\n     broader effort to identify other third party systems and services across the Board that are\n     not on the FISMA inventory and their associated security requirements. As such, we are\n     closing our 2010 recommendation.\n\nWork To Be Done:\n\n     The Federal Reserve Banks are not required to follow NIST and OMB guidance but have\n     decided to transition to an information security program that is based on standards and\n     policies developed by NIST. The planned benefits include clarifying information\n     security risks from an enterprise perspective and providing better support for Board\n     customers who are already utilizing NIST standards and guidance. The migration to this\n     new information security program has begun for Federal Reserve Bank national IT\n     infrastructures. This includes IT infrastructure that Federal Reserve Banks rely on for\n     such functions as Internet access, search functionality, remote access, and electronic mail.\n     The Federal Reserve Banks plan to transition their respective systems to the new program\n     by 2013.\n\n     As stated earlier, BS&R is utilizing BISPMS for Federal Reserve Bank systems that store\n     or process Board information. As previously discussed in the Risk Management Program\n     section of this report, the ISO is in the process of transitioning Board divisions to an\n     automated workflow support tool that provides an automated workflow for documenting,\n     reviewing, and approving the security posture of all Board information systems, as\n     required by FISMA.\n\n                                             20\n\x0c                                                                                 APPENDIX 1\n\n      Both tools are used to support FISMA compliance activities for Board systems and they\n      serve similar purposes. The ISO\xe2\x80\x99s tool currently does not include in its automated\n      workflow support tool information on BS&R\xe2\x80\x99s FISMA continuous monitoring activities\n      for Federal Reserve Bank systems that store or process Board information. For example,\n      the BISPMS contains information on security control assessments and POA&Ms for\n      Federal Reserve Bank systems that store or process Board information. Security control\n      assessments and POA&Ms provide important information on security weaknesses and\n      related mitigation plans. Including this information within the Board\xe2\x80\x99s automated\n      workflow support tool could assist the ISO in implementing the Board\xe2\x80\x99s risk management\n      and continuous monitoring strategies mentioned earlier in our report. As part of our\n      ongoing work related to information security, we will continue to monitor the ISO\xe2\x80\x99s\n      actions in overseeing third parties\xe2\x80\x99 compliance with FISMA and the requirements of the\n      Board\xe2\x80\x99s information security program.\n\n      Matters for Management\xe2\x80\x99s Consideration: Ensure that the Board\xe2\x80\x99s automated\n      workflow support tool for managing the security posture of all Board information\n      systems incorporates appropriate security management information for third party\n      systems operated by Federal Reserve Banks on behalf of the Board.\n\nContingency Planning\n\nRequirement:\n\n      FISMA requires that agency information security programs include plans and procedures\n      to ensure continuity of operations for information systems that support the agency\xe2\x80\x99s\n      operations and assets. In May 2010, NIST issued Special Publication 800-34 Revision 1,\n      Contingency Planning Guide for Federal Information Systems (SP 800-34). SP 800-34\n      states that information system contingency planning is a coordinated strategy involving\n      plans, procedures, and technical measures that enable the recovery of information\n      systems, operations, and data after a disruption.\n\n      Contingency planning considerations and strategies address the impact to Board\n      operations and functions based on availability security objectives of mission critical\n      applications. SP 800-34 defines a seven-step contingency planning process. These seven\n      progressive steps are designed to be integrated into each stage of the system development\n      life cycle: (1) develop the contingency planning policy statement; (2) conduct the\n      business impact analysis; (3) identify preventive controls; (4) create contingency\n      strategies; (5) develop an information system contingency plan; (6) ensure plan testing,\n      training, and exercises; and (7) ensure plan maintenance. In addition, the NIST guidance\n      requires that agencies\xe2\x80\x99 continuity of operations must be sustained within 12 hours and for\n      up to 30 days, from an alternate site.\n\n      NIST SP 800-53 also establishes contingency planning controls that are essential for\n      recovery and reconstitution of an information system in contingency scenarios. These\n      controls cover information system operational aspects that include policy, planning,\n\n\n                                              21\n\x0c                                                                                     APPENDIX 1\n\n       training, testing, alternate storage site, alternate processing site, telecommunication\n       services, backup, recovery, and reconstitution.\n\nProgress to date:\n\n       The Board is maintaining an agency-wide business continuity plan that is consistent with\n       NIST and OMB requirements. The Board continues to conduct semi-annual contingency\n       tests of its mission critical applications. The Board divisions are participating in these\n       tests to verify that their applications are working as designed in a contingency situation.\n       The ISO has issued a Business Impact Analysis template as guidance to determine\n       individual applications\xe2\x80\x99 continuity of operations requirements. The semi-annual tests\n       include testing and availability of infrastructure services that are essential for mission\n       critical applications. Access to the Board\xe2\x80\x99s contingency site is restricted to authorized\n       Board staff only. In addition to Board identification badges issued to employees, a\n       separate identification badge is necessary to access the contingency site. The issues\n       identified during the contingency tests are recorded in the help desk system, and\n       appropriate IT staff is assigned to these issues for resolution.\n\nWork to be done:\n\n       We are currently reviewing security controls of the Board\xe2\x80\x99s contingency program, which\n       we will report under separate cover. The Board\xe2\x80\x99s contingency planning, logistics,\n       implementation, and testing of operations are handled by different divisions. The\n       Board\xe2\x80\x99s continuity of operations document identifies the key personnel and their\n       corresponding technical teams and reporting hierarchy that are responsible for different\n       areas of infrastructure services. However, a central point of contact for Board-wide\n       coordination, validation, reporting, and verification of the mission critical applications\n       would improve efficiency. In addition, a Board-wide process of reconciliation and\n       monitoring of what applications were tested and reporting of the test results should be\n       established. The IT infrastructure resources and the capacity at the contingency site also\n       need to be analyzed to ensure consistency with the Board\xe2\x80\x99s primary data center\n       capabilities.\n\nIncident Response & Reporting\n\nRequirement:\n\n       The Board is required to create, provision, and operate a formal incident response\n       capability. Federal law requires federal agencies to report incidents to the United States\n       Computer Emergency Readiness Team (US-CERT) office within DHS.\n\n       An incident response capability is necessary for rapidly detecting incidents, minimizing\n       loss and destruction, mitigating the weaknesses that were exploited, and restoring\n       computing services. Performing incident response effectively is a complex undertaking,\n       and establishing a successful incident response capability requires substantial planning\n       and resources. Continually monitoring threats through intrusion detection and prevention\n\n                                                22\n\x0c                                                                                    APPENDIX 1\n\n       systems and other mechanisms is essential. The typical types of incidents include denial\n       of service, malicious code, unauthorized access, inappropriate usage, and lost or stolen\n       devices/storage media, including laptops. The incident response team is required to offer\n       services such as advisory distribution, vulnerability assessment, intrusion detection,\n       education and awareness, and patch management.\n\n       FISMA requires agencies to develop procedures for detecting, reporting, and responding\n       to security incidents. SP 800-53 established eight information security controls that are\n       recommended for implementing incident response controls. These controls cover\n       operational aspects of incident handling, such as training, testing, monitoring, and\n       reporting. NIST Special Publication 800-61, Revision 1, Computer Security Incident\n       Handling Guide, states that an incident response capability should include the following\n       actions: (1) creating an incident response policy and plan; (2) developing procedures for\n       performing incident handling and reporting, based on the incident response policy; (3)\n       setting guidelines for communicating with outside parties regarding incidents; (4)\n       selecting a team structure and staffing model; (5) establishing relationships between the\n       incident response team and other groups, both internal (such as the legal department) and\n       external (such as law enforcement agencies); (6) determining what services the incident\n       response team should provide; and (7) staffing and training the incident response team.\n\nProgress to date:\n\n       The Board has issued the Information Security Incident Handling Guide as an appendix\n       to the Board\xe2\x80\x99s information security program. This guidance helps users to appropriately\n       handle security incidents and identifies the roles and responsibilities of the incident\n       response team. In addition, the Board has issued Device and Document Loss Notification\n       Report, a form that should be used to report lost/stolen Board devices such as mobile\n       phones, storage media, and laptops. The ISO produces quarterly performance reports on\n       security incidents, security patches, virus protection, POA&M\xe2\x80\x99s, and penetration test\n       findings. The ISO continues to send monthly security log information to US-CERT and\n       reports security incidents within established timeframes. In addition, the ISO has\n       implemented automated tools for detecting intrusions, centralized log file analysis, and\n       network analyzers for prevention of denial of service attacks.\n\nWork to be done:\n\n       The ISO continues to post security related articles, security incidents, and advisories on\n       the Board\xe2\x80\x99s internal website. We will continue to monitor incident reporting and\n       handling at the Board as part of our ongoing FISMA related audit work.\n\nSecurity Capital Planning and Investment Program\n\nRequirement:\n\n       FISMA requires agencies to ensure that information security management processes are\n       integrated with strategic and operational planning processes. Capital planning and\n\n                                                23\n\x0c                                                                                 APPENDIX 1\n\n      investment control refers to a decision-making process for ensuring IT investments\n      integrate strategic planning, budgeting, and IT management considerations. NIST SP\n      800-65, Integrating IT Security into the Capital Planning and Investment Control\n      Process, issued January 2005, notes that while security and capital planning have\n      traditionally been thought of as separate activities, FISMA charges agencies with\n      integrating the two.\n\n      SP 800-65 distinguishes between enterprise-level and system-level security investments.\n      Enterprise-level security investments are ubiquitous across the agency and are designed\n      to improve the overall agency\xe2\x80\x99s security posture. Examples include an enterprise-wide\n      firewall or intrusion detection system. System-level investments are designed to\n      strengthen a discrete system\xe2\x80\x99s security environment, such as strengthening password\n      controls or testing a contingency plan. SP 800-65 further states that at the system level\n      managers should account and budget for IT security over the investment life cycle. This\n      information will flow to the enterprise level to support IT compliance and integration\n      activities.\n\n      The 2011 DHS FISMA reporting questions direct IGs to determine if their agency has\n      established and maintains a security capital planning and investment program. DHS\n      outlines specific attributes that should be included in such a program, including\n      employment of Exhibit 53, Agency IT Investment Portfolio, and Exhibit 300, Capital\n      Asset Plan and Business Case Summary, to record required information security\n      resources. Federal agencies that receive appropriated funding are required to submit\n      these exhibits to OMB annually to request and justify their planned budget for IT and\n      information security. The Board does not receive appropriated funds from Congress. As\n      such, several of the security capital planning and investment program attributes DHS has\n      asked the IGs to evaluate, including use of Exhibit 53\xe2\x80\x99s and Exhibit 300\xe2\x80\x99s, are not\n      directly applicable to the Board.\n\nProgress to Date:\n\n      The Board has developed an overall governance approach for capital planning and\n      budgeting that covers investments in information security. Board divisions are required\n      to prepare and submit budget and planning requests for information security investments\n      to the Strategic Planning Group (SPG). The SPG reviews the requests and makes\n      recommendations to the Committee on Board Affairs (CBA). The CBA in turn is\n      responsible for approving the Board\xe2\x80\x99s overall budget.\n\n      The Division of IT has established a system development methodology (SDM) that\n      provides a framework for managing project life cycles. The SDM includes seven phases\n      that are designed to ensure that systems meet business requirements, use appropriate\n      technology, and meet quality standards. The phases include project initiation, planning,\n      requirements specification, design and development, testing, implementation, and\n      maintenance. The SDM requires that the estimated budget and resources required to\n      complete a project be stipulated and updated as the project progresses. In addition, as\n      part of its POA&M program, the ISO requires Board divisions to provide a high-level\n\n\n                                              24\n\x0c                                                                                APPENDIX 1\n\n     estimate of the man hours and/or funds required to address the identified weaknesses or\n     enhancements.\n\n     The Division of IT has also implemented an initial version of an IT performance\n     reporting dashboard that is designed to capture the business value and performance of the\n     Board\xe2\x80\x99s information systems. Currently, the dashboard is focused on providing an\n     overview of performance, such as security patching, virus detection, and POA&M\n     reporting. For POA&M reporting, the dashboard provides quantitative information on\n     the status of remediation efforts. The Board plans to evolve the dashboard to provide a\n     comprehensive picture of IT performance.\n\nWork To Be Done:\n\n     As stated earlier, the Board\xe2\x80\x99s SDM requires that resources and budget estimates be\n     documented and updated throughout a project\xe2\x80\x99s lifecycle. However, the SDM does not\n     specifically require managers to account and budget for security over the system life\n     cycle. For example, as part of the maintenance phase of the SDM, security configuration,\n     change management, and continuous monitoring activities would be performed for a\n     system. This would include monitoring security controls through vulnerability scans and\n     penetration testing. While the SDM requires managers to ensure that resources are\n     available to support maintenance activities, it does not specifically require managers to\n     account and budget for these activities.\n\n     Budget information related to system security activities could serve as an input to the IT\n     performance reporting dashboard to provide a more comprehensive view of the business\n     value and performance of Board information systems. For instance, expenditures for\n     continuous monitoring activities could be used in conjunction with information on system\n     vulnerabilities and patching to determine the impact of resources spent.\n\n     As noted in the section of our report on the Board\xe2\x80\x99s risk management program, the ISO is\n     in the process of implementing an automated workflow support tool to provide a\n     workflow method for documenting, reviewing, and approving the security posture of all\n     Board information systems. Information on security weaknesses for all Board systems is\n     to be included in this tool. When fully implemented for all Board divisions, this tool\n     could help the ISO in identifying system-level and enterprise-level security investments\n     that could increase the overall security posture of the Board and mitigate risks.\n\n     Matters for Management\xe2\x80\x99s Consideration: To ensure adequate tracking of system\n     security investments, the CIO should enhance the Board\xe2\x80\x99s system development\n     methodology by clarifying steps to account and budget for security over the system life\n     cycle and analyze how security capital planning information at the system and enterprise-\n     level can be integrated into the IT performance dashboard to provide a more\n     comprehensive understanding of the business value and performance of the Board\xe2\x80\x99s\n     information systems.\n\n\n\n\n                                             25\n\x0c\x0c     APPENDIX 2\n\n\n\n\n27\n\x0c\x0c                                                                               APPENDIX 3\n\n\n\nPrincipal Contributors to the Report\nRobert McMillon, Auditor-in-Charge\n\nKhalid Hasan, Senior IT Auditor\n\nSatynarayana-Setty Sriram, IT Auditor\n\nRobert Delgesso, IT Auditor\n\nPeter Sheridan, OIG Manager\n\nAndrew Patchan, Jr., Associate Inspector General for Audits and Attestations\n\n\n\n\n                                              29\n\x0c"